Google rolls out HSTS
Google has begun its rollout of HTTP Strict Transport Security (HSTS) across its domains.
HSTS automatically forces browsers to upgrade insecure HTTP connections to encrypted HTTPS. Google tried rolling it out at the end of last year but faced technical issues that knocked the Chocolate Factory's Santa tracking service offline.
"Ordinarily, implementing HSTS is a relatively basic process. However, due to Google's particular complexities, we needed to do some extra prep work that most other domains wouldn't have needed to do," said Jay Brown, senior technical program manager at Google security.
"For example, we had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access our core domain."
So far, HSTS is only available on the google.com domain, but the company will roll it out elsewhere as soon as it is able. ®
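The prep work Brown lists (mixed content, HTTP hrefs, redirects to HTTP) can be checked mechanically before a domain starts enforcing HSTS. The sketch below is an added example, not Google's tooling or part of the original article; the host `example.test`, the sample HTML and responses, and all function and class names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src")}  # mixed content
NAVIGATION = {("a", "href"), ("form", "action")}                      # plain links

class InsecureRefFinder(HTMLParser):
    """Collect http:// references that matter once `host` enforces HSTS."""
    def __init__(self, host):
        super().__init__()
        self.host, self.findings = host, []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            parts = urlsplit(value or "")
            if parts.scheme != "http":
                continue
            target = parts.hostname or ""
            # Exact host or a true subdomain; "notexample.test" must not match.
            same_site = target == self.host or target.endswith("." + self.host)
            if (tag, name) in SUBRESOURCE:
                self.findings.append(("mixed-content", value))
            elif (tag, name) in NAVIGATION and same_site:
                # Browsers will rewrite this to https, so the target must serve HTTPS.
                self.findings.append(("http-href", value))

def audit(host, html, responses):
    """responses: (url, status, headers) tuples captured from the site."""
    finder = InsecureRefFinder(host)
    finder.feed(html)
    findings = list(finder.findings)
    for url, status, headers in responses:
        location = headers.get("Location", "")
        # An HTTPS URL that bounces back to HTTP can loop once HSTS upgrades it again.
        if url.startswith("https://") and 300 <= status < 400 and location.startswith("http://"):
            findings.append(("redirect-to-http", f"{url} -> {location}"))
    return findings

# Constructed sample input; example.test is a placeholder host.
SAMPLE_HTML = """<a href="http://example.test/maps">Maps</a>
<a href="https://example.test/mail">Mail</a>
<img src="http://static.example.test/logo.png">
<a href="http://other.test/">External</a>"""
SAMPLE_RESPONSES = [("https://example.test/legacy", 302, {"Location": "http://example.test/legacy/"})]

if __name__ == "__main__":
    for kind, detail in audit("example.test", SAMPLE_HTML, SAMPLE_RESPONSES):
        print(kind, detail)
```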